If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!

A really good password should include, I'd say, at the very least 12 characters (more is better; most of mine are at least 25 characters long), and include both upper and lower case letters, numbers and symbols. How many of each specific letter/number/symbol is not really important, at least compared to the total length of the password itself.

The thing to try to achieve is lowering the chance of any kind of brute-force attack being successful within a reasonable time period by increasing the total number of possibilities for each individual character. The more varied the characters in the password, the stronger it is, even with a given number of total characters. If at least one of each group of characters is used (uppercase, lowercase, symbols, numbers), every added character adds a large number of possibilities to have to go through in order to be able to successfully brute-force the password.

Length and complexity are the key; the idea is to increase the total number of possible combinations to make it take an extremely long time to crack, and each added character adds to that time. But equally importantly... don't use the same username/password combo across more than one site! This is especially true with passwords used for sensitive (i.e. bank) accounts. You don't want to use those ones for web forums, online VoIP services, online pizza delivery services, etc.

Steve Gibson and Leo Laporte have talked a lot about this on Security Now. Here is a link to a useful page on Steve's site with an interesting clip halfway down the page taken from one of their podcasts (episode 303, I believe):

Care to say what your references are, what your complaints are of his views on security, and how you do things differently? Many of the things I do really are, IMO, common sense and can be found at various web sites; Steve just happens to have made a few podcast episodes that put it all together and explains it nicely in ways that are easy to understand.

That said, just go use the password "pee" or "poop" or something like that if you want. As far as I know he never recommended anything like that, so it must be safe!

Funny, because Mark Russinovich was on a recent episode of Security Now as a guest to talk about a sci-fi book he wrote, so apparently Mark must get in contact with Steve and not think he's a total joke like that blog post would like you to believe... and that article specifically mentions Mark as one of the greats to look up to. Ironic.

Unfortunately all of those things are easily crackable by current attack algorithms.

Common misconceptions with password security:

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and try combinations of such words concatenated.

* using txt spk / l33t style words is harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alphanumeric substitutions of letters as well as plain English words.

* using non-English words is more secure == false. Dictionaries include words from most languages, proper nouns and even slang that isn't technically part of any language.

Password cracking has come a long way in the last few years and current security advice hasn't kept up with development. In my opinion there are only 3 things you can do to have a truly secure password:

1/ use a password hash. This will be a mixture of alpha, numerics and symbols. Generate this hash from any site like this: http://www.insidepro.com/hashes.php?lang=eng and have the website / application name as the salt and the same password as the password. This way you get a unique, non-guessable password for each service and an easy way for you to "keep" your passwords without having to write them down nor store them in any digital keychains.

2/ use a unique password for each service. I'd already mentioned that above, but it's so important it needs repeating.

3/ at all times possible, use key based systems (e.g. SSH keys instead of login passwords). Even just 2048-bit RSA keys are significantly more difficult to crack than 99% of passwords. Sadly though, key based systems are rarely available for most systems.

I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

While you're right that such attacks would require a massive dictionary of words, it's still significantly more streamlined than a typical 'brute force attack' which will try every character combination individually.

You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

You're talking about 'security through obscurity' and that's a pretty bad philosophy to have.

There have been cases where 'normal' individuals like ourselves have become overnight public figures because of stories that break out in the press (e.g. relatives of crime suspects) and have subsequently been stalked over social media by reporters after a cheap story.

There are also the cases of answerphone hacking that broke out earlier this year, and many of those cases were against regular people.

And finally, regular people do get their accounts hacked all the time (e.g. my Paypal account was hacked a few years ago).

"I'm ignorant on these matters, but I don't see how passphrases could feasibly be cracked using dictionary based attacks.

The number of possible words and alternate "spellings" is large, especially if you consider multiple languages as you've mentioned.

While you're right that such attacks would require a massive dictionary of words, it's still significantly more streamlined than a typical 'brute force attack' which will try every character combination individually."

But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.

First, they have to make the assumption that the passphrase is made of words, rather than just a long password. Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative "spellings" of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there's the problem of how the words are joined together.

A quick search doesn't turn up anything significant about dictionary based attacks on passphrases for me, so I don't know how much research has been done on it.

"You also mentioned "without writing it down", but I was under the impression that was also out of date ideas about password protection. The chances of someone physically getting your password is practically zero, since most people won't risk it, most people aren't that important, and those who do risk stealing things generally aren't after written down passwords (assuming they know the username the person uses).

You're talking about 'security through obscurity' and that's a pretty bad philosophy to have.

There have been cases where 'normal' individuals like ourselves have become overnight public figures because of stories that break out in the press (e.g. relatives of crime suspects) and have subsequently been stalked over social media by reporters after a cheap story.

There are also the cases of answerphone hacking that broke out earlier this year, and many of those cases were against regular people.

And finally, regular people do get their accounts hacked all the time (e.g. my Paypal account was hacked a few years ago).

So don't think that your relative obscurity will protect you. "

I'm not talking about security through obscurity, but the relative unlikeliness that a password written down will be any less safe. Your hacked Paypal account was not hacked because you wrote down your password and it was copied somehow. None of the hacking cases, as far as I know, was because they wrote down the password.

The threat of hacking is not remedied by obscurity, but the stealing of passwords that are written down is mitigated by obscurity.

There have been a few articles in recent times about the whole "don't write down the password" being outdated advice. People regularly forgetting passwords and needing them to be reset opens up many potential MITM or phishing attacks posing as the password reset service.

But from the point of view of the cracker, a passphrase containing words is indistinguishable from a password of the same length with random letters, numbers and symbols.

That's besides the point as crackers are using the method I described and for the reasons I've described. Hence why I advised using random characters instead.

First, they have to make the assumption that the passphrase is made of words, rather than just a long password.

They do make that assumption because they understand user habits when creating passwords. As I've already stated, so many passwords have been leaked in recent years that there's a wealth of data to build more intelligent routines. Gone are the days when a "dumb" brute force attack was the preferred method of attack.

Then they have to test out combinations of words. So you have word choices of possibly over 10,000 words per word; you have alternative "spellings" of those words which can be a mixture of capitals and lower case and numbers making the word choice at least twice as many; then you have combinations of words for an unbounded number of words in the sentence. Then there's the problem of how the words are joined together.

Indeed, but that's still significantly fewer permutations than a blind brute force attack.

A quick search doesn't turn up anything significant about dictionary based attacks on passphrases for me, so I don't know how much research has been done on it.

That's because, as I've already stated, the old advice is still pretty much widespread. I've been following blogs of a number of security researchers in recent years (as my profession is moving into that arena) and the advice I'm giving is what I've read as industry experts' advice.

The only people I've seen that suggest otherwise are blogs by journalists and system administrators, who, with the greatest of respect to them, are not working closely enough to this field to understand the latest developments in cracking. Much like how I wouldn't expect professional application developers to keep up with the latest security patches for *nix platforms. After all, IT is a massive field these days.

Anyhow, I'll have a dig out for some of the blogs I've read that support these claims I'm making, if you don't mind checking back in a couple of hours.

(Sorry for replying to you over two posts; I didn't spot the 2nd half of your reply until I'd already responded.)

I'm not talking about security through obscurity, but the relative unlikeliness that a password written down will be any less safe.

Your hacked Paypal account was not hacked because you wrote down your password and it was copied somehow. None of the hacking cases, as far as I know, was because they wrote down the password.

Which is what "security through obscurity" means. I do sympathise with your sentiment, but discussing the likelihood of being targeted or having a stored password located does fall under security through obscurity. And while you are right that the likelihood is low, I'd rather offer up some genuine security advice instead of luring people into complacency. After all, unlikely scenarios do happen all the time.

The advice I gave was to use a hash generator to provide a random password. This way you don't need to store passwords as you only need to remember 1 password (and the salt, but the salt will be your application / website name) and from that you can just generate your password each time you need to log in and you can guarantee to have the same password for that service each time.

Thus with my method, you have a random, unique and secure password for each service, and you are not forced into a position of having to write your passwords down. It's a win-win.

* concatenating words together is more secure == false. Modern attacks use a dictionary of words and try combinations of such words concatenated.

* using txt spk / l33t style words is harder to crack than common words == false. Modern dictionaries have every imaginable combination of number and non-alphanumeric substitutions of letters as well as plain English words.

* using non-English words is more secure == false. Dictionaries include words from most languages, proper nouns and even slang that isn't technically part of any language.

Password cracking has come a long way in the last few years and current security advice hasn't kept up with development.

Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

Use lower case: 26 possibilities
Use upper case: 26 possibilities
Use numbers: 10 possibilities
Use punctuation: 32 possibilities
Use them all: 94 possibilities per character

Using English is the easiest way to fall victim to dictionary attacks. Put in another language and suddenly the cracker would have to include 20+ dictionaries. Put in a dialect and the cracker would need to put 2000+ dictionaries in.

How can you possibly claim that increasing the possibilities is _not_ more secure?

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have ever more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked, and this provides a massive amount of source material to learn user behaviour when selecting passwords, which in turn allows attackers to build more intelligent cracking tools.

So I'm not saying that your examples are less secure than having plain English passwords; what I'm saying is that such passwords aren't more secure these days. What is more secure is a random hash of characters or doing away with passwords entirely, which is what I actually advocated if you go back and re-read my post.

You're missing my point. Modern attacks aren't the old style brute force attacks which would try every combination of character. Instead they have ever more sophisticated dictionaries (I'm not sure if those are hardcoded possibilities or heuristics).

The problem is we've had an influx of leaked passwords over recent years. Nearly every month another website gets hacked and passwords are leaked, and this provides a massive amount of source material to learn user behaviour when selecting passwords, which in turn allows attackers to build more intelligent cracking tools.

You're kind of switching the bait here.

The second paragraph only provides knowledge for old style single-word passwords. A passphrase is made up of multiple words, for which it is much more difficult to analyse behaviour.

Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

I'm really not. I might not be explaining things that well (English isn't my strongest skill), but my advice here has been consistent.

The second paragraph only provides knowledge for old style single-word passwords. A passphrase is made up of multiple words, for which it is much more difficult to analyse behaviour.

You're making an assumption that dictionary attacks can only work against a single instance within the dictionary file. What modern dictionary attacks actually do is use the dictionary as a basis for a "brute force-style" attack.

Let me explain this better:
the old style brute force attack would try every character permutation (e.g. (if you don't mind some crude regex) m/[0-9a-zA-Z]/ and any symbols opted for).

Modern dictionary attacks use the dictionary as a basis for building the permutations. So if the dictionary file has: add, dad, bad then the attack will use add, dad, bad, addadd, adddad, addbad, dadadd, daddad, dadbad, badadd, baddad, badbad plus the "l33t" variants ("d4d"), formatting variants ("dad dad", "dad!") and so on.

So while it's technically still a dictionary based attack, it's significantly more sophisticated than a standard dictionary attack yet also significantly quicker to run through likely permutations than the old style brute force attack.

Assuming that the cracker somehow can distinguish a passphrase from a long password, they're just confronted with using an almost brute force attack on the word combinations.

Using a 10,000 word dictionary, a passphrase of five words is a space of 100,000,000,000,000,000,000 possibilities. The English language alone has about 250,000 words depending on the OED estimate.

Indeed. But the point is that's still massively quicker than doing every character permutation.

To put it another way, you stated that 5 word match might offer up 10^19 combinations (which I think is an over-estimate, but I'm still willing to use those figures), using a standard brute force attack offers up (10+26+26+20)^16 combinations (10 numeric characters, 26 alpha in both cases and 20 symbols) for a 16 character sequence. That works out at 2044140858654976 possible solutions and that's not even the entire length of an average 5 word string (which is what you're basing your example on).

So an intelligent dictionary attack really is the better cracking routine, and that is why you have to assume that attackers are using it.

This is getting beyond my level of expertise, but what I'm saying is generating a password of five words is different to figuring out that the password actually has five words.

10^19 is just a lower bound for a 10,000 word dictionary. Counting variations of those words, whether it's a change in casing or a numerical substitution, you have at least an order of magnitude more word choices for each word. There's no requirement for there to be syntactical or grammatical structure to the passphrase.

z/OS supports passphrases of 100 characters long, which may be 10 or 20 words long, which obviously has a greater space of valid passwords than the 20 character passwords boxes that some sites are adopting. A 20 word sentence is more memorizable than a 20 character random string let alone a 100 character random string.
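A small keyspace calculator, added here and not part of any post in the thread, that puts numbers to the figures argued over above: the 26/26/10/32 character classes (94 per character), a random 16-character password, a five-word passphrase drawn from a 10,000-word dictionary (10^20 candidates) with and without spelling variants and joiners, and the "add, dad, bad" concatenation list (12 candidates). The guess rate used in compare() is a constructed assumption for illustration only.

```python
"""Keyspace arithmetic for the password-vs-passphrase argument in this thread.

Two attack models are compared:
  * blind brute force: every string over an alphabet, alphabet**length candidates
  * word-combination (dictionary) attack: words drawn from a dictionary, with
    optional per-word spelling variants and a choice of separator between words
"""
import math

# Per-character alphabet sizes as counted in the thread (26 + 26 + 10 + 32 = 94).
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def charset_size(classes):
    """Alphabet size for the chosen character classes, e.g. ("lower", "digits") -> 36."""
    return sum(CHARSETS[c] for c in classes)


def brute_force_keyspace(classes, length):
    """Candidates a blind brute force must cover for a random password: alphabet**length."""
    return charset_size(classes) ** length


def dictionary_keyspace(dict_size, words, variants_per_word=1, separators=1):
    """Candidates for a word-combination attack on a passphrase of exactly `words` words.

    variants_per_word models alternate spellings of each word (capitalisation,
    digit substitutions); separators models the joiner between words
    (space, nothing, '-', ...), of which there are words-1.
    """
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return (dict_size * variants_per_word) ** words * separators ** (words - 1)


def concatenation_candidates(dict_size, max_words, variants_per_word=1):
    """Total candidates when the attack tries 1..max_words concatenated words.

    With the thread's 3-word dictionary (add, dad, bad) and up to 2 words this is
    3 + 9 = 12, exactly the list given in the post above.
    """
    return sum(dictionary_keyspace(dict_size, k, variants_per_word)
               for k in range(1, max_words + 1))


def entropy_bits(keyspace):
    """Keyspace expressed in bits; doubling the keyspace adds one bit."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace, guesses_per_second):
    """Average time to find the secret: half the keyspace at the given rate."""
    return keyspace / 2 / guesses_per_second


def human_duration(seconds):
    """Rough human-readable duration for a number of seconds."""
    units = [("year", 365 * 24 * 3600), ("day", 24 * 3600),
             ("hour", 3600), ("minute", 60), ("second", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}s"
    return f"{seconds:.3g} seconds"


def compare(guesses_per_second=10**9):
    """Side-by-side comparison of the strengths debated in the thread.

    guesses_per_second is a constructed assumption, not a measured figure.
    Returns {description: (keyspace, bits, average crack time as text)}.
    """
    all_classes = tuple(CHARSETS)
    cases = {
        # short "complex" password over the full 94-character alphabet
        "random, 94 chars, length 8": brute_force_keyspace(all_classes, 8),
        # the 16-character figure from the thread, over all four classes
        "random, 94 chars, length 16": brute_force_keyspace(all_classes, 16),
        # 5 words from a 10,000-word dictionary, plain spelling, one joiner
        "5 words, 10k dictionary": dictionary_keyspace(10_000, 5),
        # same, but ~10 spelling variants per word and 4 possible joiners
        "5 words, 10k dictionary, 10 variants, 4 joiners":
            dictionary_keyspace(10_000, 5, 10, 4),
        # 5 plain words when the attacker must consider 250,000 English words
        "5 words, 250k dictionary": dictionary_keyspace(250_000, 5),
    }
    return {
        name: (space, round(entropy_bits(space), 1),
               human_duration(expected_crack_seconds(space, guesses_per_second)))
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, (space, b, t) in compare().items():
        print(f"{name:52s} {b:6.1f} bits  ~{t}")
```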

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site).
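The derivation scheme described in the post above, written out as added example code that is not the poster's or the named website's: one master password, the site name as salt, SHA-512, base64 output. Which order the online tool concatenates salt and password is not stated, so the "site:master" joining here is an assumption and its output will not equal the value quoted above; the max_len option and the character-class check are additions for sites that cap length or demand particular punctuation.

```python
"""Per-site password derivation: base64(SHA-512("site:master")).

Assumption (labelled): salt and master are joined as "site:master" with a ':'
separator, so that "ab"+"c" and "a"+"bc" cannot collide. The online generator
named in the thread may combine them differently.
"""
import base64
import hashlib
import string


def derive_site_password(master, site, max_len=None):
    """Deterministic per-site password from one master secret.

    SHA-512 yields 64 bytes, which base64 encodes to 88 characters ending in
    "==", matching the length reported in the thread. The site name is public,
    so the master password is the only secret in the scheme. max_len is a
    constructed option for sites that cap password length; truncating keeps the
    per-site uniqueness but shrinks the keyspace to at most 64**max_len.
    """
    if not master or not site:
        raise ValueError("both master password and site name are required")
    material = f"{site}:{master}".encode("utf-8")
    encoded = base64.b64encode(hashlib.sha512(material).digest()).decode("ascii")
    return encoded if max_len is None else encoded[:max_len]


def character_classes(password):
    """Which of the thread's four classes (lower/upper/digits/symbols) occur.

    Base64 output only ever contains '+', '/' and '=' as non-alphanumerics, so a
    site that insists on other punctuation will reject this scheme's output.
    """
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digits": any(c in string.digits for c in password),
        "symbols": any(c in "+/=" for c in password),
    }


if __name__ == "__main__":
    for site in ("osnews.com", "example.invalid"):
        pw = derive_site_password("i like steak", site)
        print(site, len(pw), pw, character_classes(pw))
```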

Take something that means a lot to you but nothing to strangers. Example: name, place and date of birth of somebody you hold dear (not yourself, too easy to guess), add a few random characters. Done!
BTW, it shouldn't be somebody who has a Facebook account!

I realize this won't work for everyone, but I have a knack for remembering long strings of random characters. My vehicle's VIN alternated with a Windows 98 key that I still have the CoA for up in the attic, along with my uncle's Romanian name, make for a nearly uncrackable but easy to remember password.

To be able to use it for different accounts, I just add a mnemonic related to that site. For local security, of course, I just use a simple 8 to 10 character alphanumeric string. That's more than enough to deter the few friends and family that visit my home.

Me too. That's one hell of a skill he's got. I have to maintain a few text files to keep track of my passwords; partially because I've got so many, but also because they're all pretty long and complex, and many of my important ones are similar but subtly different so they couldn't be used across accounts even if they were cracked.

Then again, I never made an attempt to remember my passwords and I tend to just use the web browser's password manager most of the time. The main exception here is on my phone; I would never store any passwords on a computer I take everywhere I go that I could easily lose, forget somewhere I go or have stolen.

That said... I am considering eventually attempting to remember my three Google account passwords, because it's kind of a pain when I am automatically logged out for my protection and I'm basically locked out until I get home to check my password files.

By the way... any Google users, if you have important data on your account, it would be a good idea to use Google's two-step authentication. Works with any phone, though probably best with a cell phone (text message) or, even better, with the Google Authenticator app.

I had an eidetic memory as a child; I remember being able to read an entire encyclopedia page and recite it back with about 95% accuracy at six years old. Unfortunately it started fading away as I got older. I still recall a lot more than the average person after reading a passage or string, but it's a shadow of what I could do as a child.

Still, it's good enough to remember important alphanumeric strings. My limit is about 35 characters, give or take, and it helps if it's a pattern that I recognize. That's why I use the VIN/license key combo; I deal with VINs daily at my full time job and reinstalling Windows 98 every few months made it easy to recall that key. I also tend to memorize phone numbers, my credit and debit cards, and other pattern based strings very easily.

Damn. It took me almost a year to remember my cell phone number with enough reliability that I would not screw it up when someone asked me what it is (and I still occasionally get confused or my mind goes blank).

Back when I was toying around with Google Voice earlier this year and I was considering giving it a try, the ability to choose a certain area code and even a string of letters when picking a number was really appealing to me. I'm just horrible with remembering phone numbers. Even if there are only 10 possible digits, the phone number itself is ten digits long, and likely only the last seven digits will likely be unique.

It was so much easier years ago when I was younger... the area code was always the same, the following three-digit prefix was always one of only two or three possibilities, and the last four digits were really the only ones that were different. Now cell phones seem to rule the country, and while the area code tends to remain the same it seems that every cell phone provider has a different prefix (and some of them seem to be getting more than one these days in my area).

I know what you mean about the Win98 (and later XP) registration key though... I used to have mine almost (but not quite) completely memorized for the same reason. No idea what they were now, though. If I am forced to enter something enough times, I'll eventually remember it (or at least parts of it) whether I want to or not.

those stories are pretty crappy. way to confuse people so they don't improve their passwords

all you need to know is you should have a passphrase. the details of password security are irrelevant. the solution is passphrase. it is not maximum protection, but it is good enough and better than what people already use.

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you to between 8 and 12 characters, disallow certain punctuation marks, etc. In principle I actually agree with you (although I doubt people would pick more secure passphrases than they currently pick passwords now). The other thing we really need is intelligence on the part of people who design service web sites. There is no reason, for example, that a dictionary attack should ever work, ditto for brute force attacks. If someone tries a wrong password more than three times, the account should be locked and the account owner notified at once by all means of contact that they have on file. A temporary block on the IP address initiating said transaction wouldn't be unwise as well. That account will then be absolutely disabled until the account owner can take whatever steps necessary to reactivate it and, in the mean time, good luck hacking into a disabled account with a dictionary. Period. That is as it should be. Sadly, it seems like very few institutions, including banks and other financial sites, implement such basic security, for the sake of convenience. I would think that the potential inconvenience of a three-strike password would outweigh the inconvenience if, let's say, your bank account gets hacked and someone takes all your cash. No, it won't protect against key logger trojans and other, more sophisticated forms of attack but, if you've got a key logger on your machine, no amount of strong passwording is going to help you anyway.
Security is a two-way street. Intelligence on the part of the end-user, and intelligence on the part of the system designer. Both, sadly, are lacking right now. Password safety is not rocket science, and that applies to both parties.

Words like "compact", "disks", "are", "old", "dogs", "eat", "poop", "but", "I", "don't" and so on would be a simple target. Concatenating simple words to form a new word perfectly fits the current startup naming culture. No need to introduce spelling errors here. :-)

An alternative is to learn intentionally "mis-spelled" artificial words that you can remember easily, but that won't show up in any dictionary, not even partially.

Some examples:

Mowdoodenlompar
Gnortlingsobiddenpoul
Gickbreddlequeckenrommodune

You can easily pronounce them and "learn their written representation". You could even say them to someone, but without the knowledge on how to write them it won't be useful.

A slight modification of this approach is to write one of the words of your native language in either a typeface-oriented or a pronunciation-oriented "emulation".

Examples:

WKOJIANgOM
derived from школаидом - школа и дом (school and house)

Rule: Make the word look as if it had been written with Cyrillic letters. Use fantasy as needed.

Advantage: As long as you restrict yourself to the "normal letters", you can even enter the password in "severely limited environments", e.g. in those where you cannot enter "non-English characters", maybe due to a misconfiguration or missing support.

Meh. Only your first example has both capital letters and symbols (in this case, a single exclamation point), and your second one has one single capital letter. Your last two win the length contest, but they're still only lower case letters. They would probably also fail a dictionary attack relatively easily. So I disagree; those passwords are actually quite weak. They're probably better than what most people use, though. Use a mix of lowercase, caps, numbers *and* symbols for the best effect...

so far I've got no proof of what I said, and you've got proof of what I said. not looking good for you so far, but thanks:

passwords longer than nine or 10 characters require rainbow tables with unwieldy file sizes. That leaves only a small sweet spot of seven or eight characters where rainbow tables are especially useful these days.

so far I've got no proof of what I said, and you've got proof of what I said. not looking good for you so far, but thanks:

Clearly you just skipped to the pretty pictures because that article repeatedly talked about how the preferred method of attack has now shifted to using advanced dictionary attacks which are fine tuned to crack passphrases. In fact that was pretty much the basis for the whole f--king story.

The quote you lifted was just in reference to the older technique of using rainbow tables and how its modern applications are limited due to better cracking routines and more powerful computers. So it's not even relevant to this discussion.

But who actually gives a shit about facts when you can instead offer up security advice like the egotistical novice that you are. And what's the point in talking to me like a human being when you can act like a complete c*nt instead. After all, what's the point in using intelligence and research to make a point when you can hide your stupidity behind blind arrogance. Smoothly done asshole. <_<

I didn't even read your posts or the ones you are replying to but when you've come to this, you know it's time to take a break. It doesn't matter if you are right or wrong, this is just a web comment section that 4 people read in total. Cool down man.

I didn't even read your posts or the ones you are replying to but when you've come to this, you know it's time to take a break. It doesn't matter if you are right or wrong, this is just a web comment section that 4 people read in total. Cool down man.

Yeah, I'm giving up on this article now. Too many pseudo-technical people clinging on to old ideals and who are too stubborn to read anything recent on the topic.

Considering how fast paced the technology industry is, I'm amazed how slow some professionals are to update on the latest security methods.

But then I shouldn't really care, I get paid to fix the mistakes that those novices introduce.

- http://openid.net/ and http://oauth.net/ Some examples: Google, Yahoo and Hotmail accounts, Twitter and yes even Facebook Connect are based on OAuth. At least Google and probably others also have 2 factor authentication.

Where I work, there's about 5 different passwords we have to remember, and they make us change them all at least once every couple of months. Not only that, but you can't have a password that's similar to a previous one, and you can't use a password that you've used in the last 10 rotations. They seem determined to make people memorize a new, random string of letters and numbers every rotation, along with at least one uppercase character, one letter from the Chinese alphabet, and I think the symbol for Boron as well.

There's only one problem though... virtually NOBODY is going to do that!! I would imagine most people probably either keep their passwords written down in a drawer (yeah, real secure) or else use keyboard macros like I do. I understand the need for strong passwords, but some companies get WAAAAAAAAY too overzealous with the practice.

I hear you! I have the exact same problem. It's particularly bad because I'm a support person, so I'm always switching computers. It's really a big productivity loss to constantly have password changes and hassles.

One place I worked at put all the hundreds of passwords into a spreadsheet. Of course, since it was shared by the 10 people on the team, someone would always corrupt the spreadsheet file. What a mess!

Worst of all was when I'd be on call, get the call at 2 am, and find that some dope had updated the password on some server and forgot to update the password spreadsheet. So here you are beeped at 2 am to solve some problem, only to find yourself unable to log in. Yuck!

I personally just use Keepass2 to keep my passwords safe. The password database is very strongly encrypted, so if you have a strong password for the database there is no way anyone is going to get to the actual contents of the database. Once in, Keepass2 allows you to create passwords automatically, allowing you to specify things like which character set to use, how many characters, whether there should be special characters, and so on and so forth. Also, once you copy a password or username from the database to the clipboard, Keepass2 will empty the clipboard after 10 or 15 seconds, making sure you won't even accidentally reveal your passwords.

I have a strong password set up for the database, I always store any new login stuff in there, and I keep a copy of the database on my desktop, mobile phone, server and in the cloud so that even if one -- or even multiple -- devices were to break I'd still always have a copy somewhere. Also, the Android app is handy on-the-go.

Didn't you read the article? You can't trust password managers because, uh, if someone steals your computer all your passwords are lost. Too bad it's completely impossible to have them backed up somewhere and encrypted. Yeah....

It's kind of interesting that Mr Kocher makes the oldest mistake of all: keeping the passwords on a note in his wallet. Obviously much safer than a password manager with an encrypted database. Apparently it's also impossible to have your wallet stolen. Wtf?

Yikes. I wouldn't want to store my passwords on my phone or laptop or any other computer I take with me even occasionally, or on any USB thumb drive... but there's no way in hell you'd ever see me put all my passwords in a file up in the "cloud." Even if they were first encrypted in a database file. Just not gonna happen. I just don't have that kind of trust.

The Keepass2 password database is encrypted with 256-bit Twofish. You'd need a quantum computer to be able to crack that in any sort of a feasible time. No, using something like that Amazon cloud computing service would still need way more time for cracking that open than I have years left in me. Since there are no fully-functioning quantum computers yet, and I'm not a high-profile target anyways...
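The two posts above (the generator options a password manager offers, and the claim about how long brute-forcing a 256-bit key would take) can be put into numbers. The following is an added example, not code from the article, from any commenter, or from the KeePass project: it generates a password over selectable character classes with the `secrets` module, computes its entropy, and estimates worst-case exhaustive-search time at an assumed guess rate. The character classes, the symbol set and the guess rates are constructed for the example. The practical caveat it illustrates: the database's cipher key may be 256 bits, but that key is derived from the master password, so the effective strength is the smaller of the two, which is why the master password's own entropy is the number to watch.

```python
import math
import secrets
import string

# Character classes a generator might offer (constructed for this example;
# the symbol set is an arbitrary 26-character choice).
CHARSETS = {
    "lower": string.ascii_lowercase,             # 26 characters
    "upper": string.ascii_uppercase,             # 26 characters
    "digits": string.digits,                     # 10 characters
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",     # 26 characters
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet(classes):
    """Union of the selected character classes, without duplicates."""
    seen = []
    for c in classes:
        for ch in CHARSETS[c]:
            if ch not in seen:
                seen.append(ch)
    return "".join(seen)


def generate_password(length, classes=("lower", "upper", "digits", "symbols")):
    """Uniformly random password over the chosen alphabet, rejecting any draw
    that misses a requested class (the "must contain a special character" option)."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alpha = alphabet(classes)
    while True:
        pw = "".join(secrets.choice(alpha) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    The per-class requirement trims the space slightly; that loss is negligible
    once the length is well above the number of classes, so it is ignored here."""
    return length * math.log2(len(alphabet(classes)))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate of a `bits`-bit space at a fixed
    guess rate. The expected time to a hit is half of this."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def effective_bits(master_password_bits, cipher_key_bits=256):
    """A database key derived from a master password is no stronger than the
    password it came from: the attacker guesses whichever is cheaper."""
    return min(master_password_bits, cipher_key_bits)


if __name__ == "__main__":
    all_classes = ("lower", "upper", "digits", "symbols")
    # Assumed guess rates: a single GPU on a fast hash, and a large rented/botnet fleet.
    for rate in (1e9, 1e15):
        print(f"--- assumed {rate:.0e} guesses/second ---")
        for length, classes in ((8, ("lower",)), (12, all_classes), (25, all_classes)):
            bits = entropy_bits(length, classes)
            eff = effective_bits(bits)
            print(f"{length:2d} chars over {len(alphabet(classes)):2d} symbols: "
                  f"{bits:6.1f} bits, effective {eff:6.1f} bits, "
                  f"{years_to_exhaust(eff, rate):.3g} years worst case")
    print("sample 25-char password:", generate_password(25))
```

The numbers make the point of both posts at once: a 256-bit Twofish key is out of reach at any guess rate, but an 8-character lowercase master password is exhausted in seconds, so the database is only as safe as the master password (and, in a real manager, the key-derivation work factor that slows each guess, which this estimate deliberately leaves out).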

That's the thing about encryption, you don't need trust.
The chances that your cloud provider will take so much interest in you that they will use all their computing power to break into your (hopefully Twofish or AES) encrypted password database is minuscule.
Even if they do you'll probably have changed all the passwords by the time they actually manage to brute-force it.

Who's to say it's the cloud provider that will try to do the snooping? I actually didn't mean that with what I originally said. These companies run public servers, and they're not exactly unknown servers... they're well-known, and up for potential attack from anyone, anywhere on the Internet. They're big, easy targets. It's security breaches I would be worried about when putting a file containing *all* of my passwords on a server somewhere on the Internet.

Someone just has to breach the server's security and then take what they can. They can then post all the files they can manage to get on a server somewhere where they and their cracker buddies download away and have a field day playing games seeing who can crack the most password files the fastest. And if there's ever a vulnerability found that allows crackers to easily break the encryption code and read the contents of the file... well, now every single one of your passwords can be found by just accessing one file that's been made publicly available on the Internet to anyone.

I have a bad memory, very horrible.
So, this is what I do, I split myself into three online personas.

One I use for games of any kind, always, and I mean always the same password, if they get hacked, I just have them send a mail and reset it. Never needed though, because virtually nobody cares about the games I play.

The second, is for my alternate life online, for this I have yet another password, but I add a number to the end and change it for every site I need.

Third, the RL persona, the one that I use the least, but care for the most, I almost never use it for trivialities, except to establish a personal and professional presence online.

Emails: I have a Gmail account for each, none are linked to each other in any way.
The first one has a password based on the one used for games.
Second address, same thing.
And the last one, the most important, has 40 characters, azAZ09.

But what's the most important, is the fact that other than the email passwords and the one I use in games, I don't memorize anything else.

Because I keep the browser open 20-30 days nonstop, I actually can't remember a password I used only once weeks ago, so, it's password recovery most of the time.

“There is a very, very small handful of people who can get away with saying that they will only trust a password management system that they build themselves,” the company wrote in a blog post. “You should definitely not trust a password management system that you develop yourself.”

Found this on the net, after a simple search. My guess, people only need to read the manual.

Despite what you might hear on the news about "hackers", it's actually quite easy to encrypt things that even alphabet soup agencies would need months if not years to de-crypt.

Oh, and a word to the authors for articles about password security, stop blaming the victims, and blame the websites and the various systems with poor security because they're the ones doing the most damage.

I am a bit late to this party, but I have a nice suggestion for better online security. Use lastpass.com service and have best from both worlds:
- unique passwords for every site
- just one master password to remember
- passwords generated automatically for you
- passwords always available

Free version does everything you need (at least everything _I_ need), and they provide extensions for all major web browsers.

There is nothing I hate more than this meaningless "cloud" buzzword, but this service is just fantastic, and I love every bit of it. Everything is encrypted, and with a good master password (that you, of course, change every, say, 6 or 12 months), you can enjoy having a unique 20-char ([0-9a-zA-Z] plus special chars) long password for every site you register on.

This was suggested to me by Firefox when I once opened add-on tab. Best suggestion ever!!

O/S/N/E/W/S Alert!
Your account will be deleted.
To prevent account deletion, reply to this post with your username and password.
------------------------------

Seriously, your password need only be good enough for the job. You don't need an armored door when the windows are wide open or the walls are made of paper. Hackers will seek the lowest hanging fruits. http://xkcd.com/538/
Use your brain online and don't rely on a password for anything important. If your bank is only asking for a password to transfer money, then change your bank. It should at least send you an SMS with a temporary secret code or challenge you with something else.

CPU power is cheap, especially to crackers who have access to botnets and it will be worse when they have mobile bots. Even brute force can be done if it pays. Your password is just there to protect unimportant data from being stolen because it is cheaper to get it from another way or because it's not worth the trouble.